BLYPT: A New Backdoor Family Installed via Java Exploit

Recently, we have observed a new backdoor family which we've called BLYPT. The name comes from its use of binary large objects (blobs) stored in the registry, together with encryption. Currently, this backdoor is installed using Java exploits; either drive-by downloads or compromised web sites may be used to deliver these exploits to user systems. Our research shows that the servers behind these attacks are mainly located in Romania and Turkey.

Currently, this threat is primarily hitting users in the United States, and consumers (as opposed to businesses) appear to be the most affected.

Arrival and Installation

In one case, we found a Java exploit that was used to spread this attack. This particular exploit, detected as JAVA_EXPLOYT.HI, can be used to run arbitrary code. It targets CVE-2013-1493, a vulnerability that has been exploited in the wild since February 2013 and was patched in March of that year.

The exploit is used to download an installer (saved as ~tmp{random values}.tmp), which is responsible for downloading and installing the main BLYPT component onto the affected system. That component is served as logo32.png or logo64.png, depending on whether the user is running a 32-bit or 64-bit version of Windows, respectively. The installer attempts to connect to three servers, one attempt every 3 seconds, until it successfully downloads the backdoor component; it retries up to 32 times before giving up.

We have identified two BLYPT variants, which can be distinguished by the file name used to save the main BLYPT component. In both cases, the file is saved in the %App Data%\Microsoft\Crypto\RSA directory. One variant is saved as NTCRYPT{random values}.TPL; the second variant is saved as CERTV{random values}.TPL. Both variants have 32- and 64-bit versions, and their behavior is mostly identical. (We detect these variants as BKDR_BLYPT.A, BKDR_BLYPT.B and BKDR64_BLYPT.B.)

Figure 1. Infection diagram for BKDR_BLYPT

One difference between the two is where their C&C server information comes from. The NTCRYPT{random values}.TPL variants do not contain any C&C information on their own; the installer instead writes the C&C information into the registry, where the BLYPT backdoor reads it. The CERTV{random values}.TPL variants have their C&C server information embedded in the file itself. In both cases, the C&C information ends up in the registry, in the Blob value under the HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\CA\Certificates\5A82739996ED9EBA18F1BBCDCCA62D2C1D670C key.

While the C&C server information is stored in the same key, their formatting is different. For the first variant, once decoded, the information is in plain text and in the following format:

Both variants encrypt this information with ARC4 ("alleged RC4") and use the string "http://microsoft.com" as the key, so the same key decrypts the blob.
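To make the decryption step concrete, here is an added example (our own illustration, not Trend Micro's tooling or code from the malware) that implements ARC4 and decodes a blob with the key string given above. The registry path and the key are taken from the write-up; the assumption that the stored value is raw ciphertext with no header, the sample configuration text and the addresses in it are constructed for the demo, since the page does not show the decoded format.

```python
"""ARC4 decode of a BLYPT-style registry blob.

Added example; not Trend Micro's tooling. The key string and the registry
path come from the write-up; the blob layout (raw ciphertext, no header)
is an assumption, and the sample configuration below is constructed.
"""
from typing import Iterator, Optional

KEY = b"http://microsoft.com"  # key named in the write-up
# Registry location named in the write-up (the data sits in the "Blob" value).
BLOB_KEY = (r"Software\Microsoft\SystemCertificates\CA\Certificates"
            r"\5A82739996ED9EBA18F1BBCDCCA62D2C1D670C")


def rc4_keystream(key: bytes) -> Iterator[int]:
    """Yield the RC4 keystream for `key`: key scheduling (KSA), then PRGA."""
    if not key:
        raise ValueError("RC4 key must be non-empty")
    s = list(range(256))
    j = 0
    for i in range(256):                       # KSA
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    i = j = 0
    while True:                                # PRGA
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        yield s[(s[i] + s[j]) & 0xFF]


def rc4(data: bytes, key: bytes = KEY) -> bytes:
    """RC4 is a keystream XOR, so the same call encrypts and decrypts."""
    return bytes(b ^ k for b, k in zip(data, rc4_keystream(key)))


def looks_like_text(data: bytes) -> bool:
    """Cheap sanity check: printable ASCII plus CR/LF/TAB, nothing else."""
    return len(data) > 0 and all(0x20 <= b < 0x7F or b in b"\r\n\t" for b in data)


def decode_blob(blob: bytes, key: bytes = KEY) -> Optional[str]:
    """Decrypt `blob`; return the text if it is plausible, else None.

    A wrong key, or a blob whose header we did not strip, produces bytes
    that practically never pass `looks_like_text`, so None means
    "not this layout / not this key" rather than raising.
    """
    plain = rc4(blob, key)
    return plain.decode("ascii") if looks_like_text(plain) else None


def read_blob_from_registry() -> bytes:
    """Pull the live value on a Windows host (not used in the offline demo)."""
    import winreg  # Windows-only module, so import lazily
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, BLOB_KEY) as k:
        value, _kind = winreg.QueryValueEx(k, "Blob")
    return bytes(value)


# Constructed sample: a plausible C&C list encrypted under the write-up's key.
# The real decoded format is not shown on the page; this is illustration only.
SAMPLE_CONFIG = "http://203.0.113.10/index.aspx|http://203.0.113.11/index.aspx"
SAMPLE_BLOB = rc4(SAMPLE_CONFIG.encode("ascii"))

if __name__ == "__main__":
    print(decode_blob(SAMPLE_BLOB))
```

On a live host, `decode_blob(read_blob_from_registry())` returning None is itself useful: it means either the value is a genuine certificate blob (the Windows CERT_BLOB layout, which is not RC4-encrypted text) or the sample uses a layout with a header in front of the ciphertext, and the analyst should look at the raw bytes before trusting the key.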

One more note about the installer: it reports the progress of the installation back to the malicious server by requesting a URL whose query string carries a status keyword. The URL has the form http://{malicious server}/index.aspx?info=<status keyword>, and the status keyword can be any of the following:

startupkey_%d where %d = return value of RegCreateKeyW

reuse

configkey_%d where %d = return value of RegCreateKeyA

configkeyvalue_%d where %d = return value of RegSetValueExA

tserror_4_%d where %d = GetLastError after the call to connect

createproc_%d where %d = GetLastError after the call to CreateProcessW

reusereboot_%d_%d_%d
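Because the installer reports each stage in the clear, the status URLs are a usable network indicator. The following added example (our own illustration, not Trend Micro's detection content) runs the keyword grammar above over web-proxy log lines and pulls out the stage and the reported Win32 code. The /index.aspx?info= shape and the keywords come from the write-up; the log line format, client addresses, hostnames and 203.0.113.x server are constructed for the demo.

```python
"""Spot BLYPT installer status beacons in proxy logs.

Added example; not Trend Micro's tooling. The keyword grammar and the
/index.aspx?info= URL shape come from the write-up; the log format,
hosts and addresses below are constructed for the demo.
"""
import re
from typing import Dict, List, Optional
from urllib.parse import parse_qs, urlsplit

# One pattern per status keyword listed in the write-up. The captured integers
# are the Win32 return value or GetLastError code the installer reports.
STATUS_PATTERNS = {
    "startupkey":     re.compile(r"^startupkey_(-?\d+)$"),
    "reuse":          re.compile(r"^reuse$"),
    "configkey":      re.compile(r"^configkey_(-?\d+)$"),
    "configkeyvalue": re.compile(r"^configkeyvalue_(-?\d+)$"),
    "tserror":        re.compile(r"^tserror_4_(-?\d+)$"),
    "createproc":     re.compile(r"^createproc_(-?\d+)$"),
    "reusereboot":    re.compile(r"^reusereboot_(-?\d+)_(-?\d+)_(-?\d+)$"),
}


def classify_beacon(url: str) -> Optional[Dict[str, object]]:
    """Return stage/host/codes if `url` is a BLYPT status report, else None."""
    parts = urlsplit(url)
    if not parts.path.lower().endswith("/index.aspx"):
        return None
    info = parse_qs(parts.query).get("info")
    if not info:
        return None
    keyword = info[0]
    for stage, pattern in STATUS_PATTERNS.items():
        m = pattern.match(keyword)
        if m:
            return {"host": parts.hostname, "stage": stage,
                    "keyword": keyword, "codes": [int(g) for g in m.groups()]}
    return None


# Constructed proxy log: "<timestamp> <client> <method> <url> <status>".
SAMPLE_LOG = """\
2013-09-16T12:00:01Z 10.0.0.5 GET http://203.0.113.10/index.aspx?info=startupkey_0 200
2013-09-16T12:00:03Z 10.0.0.5 GET http://203.0.113.10/index.aspx?info=tserror_4_10060 200
2013-09-16T12:00:06Z 10.0.0.5 GET http://203.0.113.10/index.aspx?info=createproc_0 200
2013-09-16T12:00:07Z 10.0.0.9 GET http://intranet.example/index.aspx?info=weekly 200
2013-09-16T12:00:08Z 10.0.0.9 GET http://www.example.com/images/logo32.png 200
"""


def scan_log(text: str) -> List[Dict[str, object]]:
    """Run every line through classify_beacon; keep hits with client and time."""
    hits = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5:
            continue               # malformed line: skip rather than crash
        hit = classify_beacon(fields[3])
        if hit:
            hit.update(time=fields[0], client=fields[1])
            hits.append(hit)
    return hits


if __name__ == "__main__":
    for h in scan_log(SAMPLE_LOG):
        print(h["time"], h["client"], "->", h["host"], h["stage"], h["codes"])
```

A bare /index.aspx?info= request is a weak signal on its own (the intranet line above shows why), so the match is on the full keyword grammar; the `reuse` keyword, which carries no number, is the least specific of the set. In the constructed sample the sequence from one client, startupkey, a connect failure (10060 is WSAETIMEDOUT) and then createproc, reads like the installer's stages in order, which is the kind of context worth pivoting on before looking for the ~tmp{random}.tmp installer and the .TPL file on that host.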

C&C Server Attribution

By decoding the configuration files used by this malware, we were able to determine the distribution of the C&C servers used by this threat, as seen in the chart below:

Figure 2. Location of BLYPT C&C Servers

Other Behavior

In addition to the C&C info mentioned earlier, BLYPT stores other information in the registry in the form of embedded “blobs”. These are as follows:

Table 1. Blobs used by BLYPT

As a backdoor, BLYPT also allows an attacker to send commands to an affected system. Among the commands that can be executed are:

Receive updated DLL binary

Receive updated configuration

Receive HTTP request commands, such as:

Send a GET request to http://103.31.186.19:1000/FetchIP.aspx to retrieve the public IP address of the affected machine
